Flaws in the machine
The researchers identified a long list of problems across mobile and desktop products, browser extensions and network devices. These include weak password policies, insecure backend communication and unprotected data storage.
They noted the following flaws in particular:
The Blocksi parental control router was particularly vulnerable to uploads of malicious firmware. The KoalaSafe Dropbear (SSH) server is also open to exploitation from threats outside the local network.
Several Android apps — FamiSafe, KidsPlace and Life360 — do not encrypt personal data written to shared external storage. That means information such as a parent’s email address, PIN and phone numbers, or even a child’s geolocation, can be read by other apps on the device. Other products that rely on custom browsers to restrict and filter web content do not honour basic web security mechanisms such as HSTS.
Windows applications like Qustodio and Dr. Web use local proxy servers that do not properly validate certificates and accept revoked ones. And the Chrome extensions Adult Blocker and MateCode Blocker download and run third-party tracking scripts, a practice that can provide cover for malicious scripts.
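Two of the flaws above (a filtering browser that ignores HSTS, and a local proxy that does not validate certificates) can be checked mechanically. The following is an added example, not code from the article or from the cited paper: a small HSTS header parser, and the weak proxy TLS configuration placed beside the corrected one. The function names and the sample response headers are constructed for this illustration.

```python
"""Added example (not from the article or the cited paper): two checks a
reviewer might run against a parental-control product's web-filtering
component. Function names and sample headers are constructed here."""
import ssl


def parse_hsts(headers):
    """Return the HSTS policy carried by a response header map, or None when
    the Strict-Transport-Security header is absent or lacks a valid max-age.
    A filtering browser that never parses this header cannot honour HSTS."""
    value = None
    for name, val in headers.items():
        if name.lower() == "strict-transport-security":
            value = val
            break
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        key, _, arg = directive.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                return None          # malformed max-age: treat as no policy
        elif key == "includesubdomains":
            policy["include_subdomains"] = True
        elif key == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:    # max-age is mandatory in RFC 6797
        return None
    return policy


def make_tls_context(validate=True):
    """Build the ssl.SSLContext a local proxy would use for its outbound
    (proxy-to-origin) connection. validate=False reproduces the weak setting
    the researchers describe: any certificate is accepted and the hostname is
    not checked. validate=True is the corrected form. Note that revocation
    (CRL) checking is still off by default; enabling ssl.VERIFY_CRL_CHECK_LEAF
    additionally requires loading current CRLs into the context."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if not validate:
        # Order matters: check_hostname must be cleared before CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx):
    """True only when the context both verifies the chain and the hostname."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


# Constructed sample responses (not captured from any real product).
RESPONSE_WITH_HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
RESPONSE_WITHOUT_HSTS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print("HSTS policy:", parse_hsts(RESPONSE_WITH_HSTS))
    print("no HSTS:", parse_hsts(RESPONSE_WITHOUT_HSTS))
    print("weak proxy context safe?", context_is_safe(make_tls_context(validate=False)))
    print("corrected context safe?", context_is_safe(make_tls_context()))
```

The point of `make_tls_context` is that the insecure state is two explicit assignments away from the default; a proxy that ends up accepting every certificate has usually opted out deliberately, which is what a code review or a test against a deliberately untrusted test certificate would surface.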
Mannan believes the security flaws are usually the result of poor design, but the privacy violations are likely deliberate.
“The developers are actually sending private, personally sensitive information to third-party vendors and trackers. Their only job is to collect information and monetize it,” he says. “The person who buys these products does not even know who these third parties are.”
Inadequate responses
The researchers did approach the companies whose products they found flawed. A few seemed to take their concerns seriously, while others responded with canned answers promising to look into the issues. Some did not bother to respond at all.
“The vendor should put more efforts to secure these solutions by conducting regular security audits and having a well-defined process to address vulnerabilities such as responsible disclosure and bug bounty programs,” Ali says.
The researchers recommend that parents stick with the safeguards built into their devices' operating systems. They may be basic, but they are effective.
“We found that in general, the more complicated the solution, the more bells and whistles it has, the more information it is lifting.”
The Office of the Privacy Commissioner of Canada Contributions Program partially funded this study.
Read the cited paper: “Betrayed by the Guardian: Security and Privacy Risks of Parental Control Solutions.”